The PAM U2F module supports authentication using the FIDO Universal 2nd Factor open standard protocol. For more information about U2F, you can access the full U2F Specifications on the FIDO Alliance website.

Required

How it works

When logging into an SSH-enabled server with any standard SSH client, the user will be required to use their YubiKey to send a One-Time Password (OTP) along with their account username and password. The SSH server, upon validating the SSH user and password, will pass the OTP provided by the YubiKey to the Yubico authentication server. Upon validation of the OTP, the user will be able to log in to the SSH server and proceed as normal.

The two-factor SSH authentication supported by Yubico PAM can accommodate a wide range of solutions. A single account can have multiple YubiKeys assigned to it, allowing multiple users access to the same account, or a single YubiKey can be assigned to multiple accounts.

Yubico PAM supports both Administrator and User level configuration for YubiKeys. The assigning of YubiKeys to user accounts may be limited only to the SSH server administrator, or a number of YubiKeys may be assigned to a single user and managed by that user. Both methods of assigning YubiKeys to SSH users can be supported simultaneously.
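
The many-to-many assignment described above is convenient, but a YubiKey mapped to several accounts removes per-user attribution, so it is worth auditing. The following is an added example, not code from Yubico or from the module: it assumes the `username:token_id[:token_id...]` mapping layout with 12-character modhex public IDs and `#` comment lines, and the sample file and IDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample; assumed layout is user:token_id[:token_id...], where a
# token ID is the 12-character modhex public ID at the start of each OTP.
SAMPLE_AUTHFILE = """\
# constructed sample, not real token IDs
alice:ccccccbdefgh:ccccccijklnr
bob:cccccctuvbde
deploy:ccccccbdefgh:cccccctuvbde
carol:notmodhex123
"""
MODHEX_ID = re.compile(r"^[cbdefghijklnrtuv]{12}$")

def parse_authfile(text):
    """Return ({user: [token_id, ...]}, [(line_no, reason), ...])."""
    mapping, problems = defaultdict(list), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *tokens = line.split(":")
        if not user or not tokens:
            problems.append((no, "no user or no token ID"))
            continue
        for tok in tokens:
            if MODHEX_ID.match(tok):
                mapping[user].append(tok)
            else:
                problems.append((no, f"bad token ID {tok!r}"))
    return dict(mapping), problems

def shared_tokens(mapping):
    """Token IDs assigned to more than one account (no per-user attribution)."""
    owners = defaultdict(set)
    for user, tokens in mapping.items():
        for tok in tokens:
            owners[tok].add(user)
    return {tok: sorted(u) for tok, u in owners.items() if len(u) > 1}

def otp_allowed(mapping, user, otp):
    """True if the OTP's public ID (all but the last 32 chars) is mapped to user."""
    return otp[:-32].lower() in mapping.get(user, [])

if __name__ == "__main__":
    users, issues = parse_authfile(SAMPLE_AUTHFILE)
    print("shared:", shared_tokens(users))
    print("rejected lines:", issues)
```
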